
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" lang="zh_Hans">
  <head>
    <meta http-equiv="X-UA-Compatible" content="IE=Edge" />
    <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
    <title>Django 3.2.4 release notes &#8212; Django 3.2.6.dev 文档</title>
    <link rel="stylesheet" href="../_static/default.css" type="text/css" />
    <link rel="stylesheet" href="../_static/pygments.css" type="text/css" />
    <script type="text/javascript" id="documentation_options" data-url_root="../" src="../_static/documentation_options.js"></script>
    <script type="text/javascript" src="../_static/jquery.js"></script>
    <script type="text/javascript" src="../_static/underscore.js"></script>
    <script type="text/javascript" src="../_static/doctools.js"></script>
    <script type="text/javascript" src="../_static/language_data.js"></script>
    <link rel="index" title="索引" href="../genindex.html" />
    <link rel="search" title="搜索" href="../search.html" />
    <link rel="next" title="Django 3.2.3 release notes" href="3.2.3.html" />
    <link rel="prev" title="Django 3.2.5 release notes" href="3.2.5.html" />



 
<script src="../templatebuiltins.js"></script>
<script>
(function($) {
    if (!django_template_builtins) {
       // templatebuiltins.js missing, do nothing.
       return;
    }
    $(document).ready(function() {
        // Hyperlink Django template tags and filters
        var base = "../ref/templates/builtins.html";
        if (base == "#") {
            // Special case for builtins.html itself
            base = "";
        }
        // Tags are keywords, class '.k'
        $("div.highlight\\-html\\+django span.k").each(function(i, elem) {
             var tagname = $(elem).text();
             if ($.inArray(tagname, django_template_builtins.ttags) != -1) {
                 var fragment = tagname.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + tagname + "</a>");
             }
        });
        // Filters are functions, class '.nf'
        $("div.highlight\\-html\\+django span.nf").each(function(i, elem) {
             var filtername = $(elem).text();
             if ($.inArray(filtername, django_template_builtins.tfilters) != -1) {
                 var fragment = filtername.replace(/_/, '-');
                 $(elem).html("<a href='" + base + "#" + fragment + "'>" + filtername + "</a>");
             }
        });
    });
})(jQuery);</script>

  </head><body>

    <div class="document">
  <div id="custom-doc" class="yui-t6">
    <div id="hd">
      <h1><a href="../index.html">Django 3.2.6.dev 文档</a></h1>
      <div id="global-nav">
        <a title="Home page" href="../index.html">Home</a>  |
        <a title="Table of contents" href="../contents.html">Table of contents</a>  |
        <a title="Global index" href="../genindex.html">Index</a>  |
        <a title="Module index" href="../py-modindex.html">Modules</a>
      </div>
      <div class="nav">
    &laquo; <a href="3.2.5.html" title="Django 3.2.5 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="3.2.3.html" title="Django 3.2.3 release notes">next</a> &raquo;</div>
    </div>

    <div id="bd">
      <div id="yui-main">
        <div class="yui-b">
          <div class="yui-g" id="releases-3.2.4">
            
  <div class="section" id="s-django-3-2-4-release-notes">
<span id="django-3-2-4-release-notes"></span><h1>Django 3.2.4 release notes<a class="headerlink" href="#django-3-2-4-release-notes" title="永久链接至标题">¶</a></h1>
<p><em>June 2, 2021</em></p>
<p>Django 3.2.4 fixes two security issues and several bugs in 3.2.3.</p>
<div class="section" id="s-cve-2021-33203-potential-directory-traversal-via-admindocs">
<span id="cve-2021-33203-potential-directory-traversal-via-admindocs"></span><h2>CVE-2021-33203: Potential directory traversal via <code class="docutils literal notranslate"><span class="pre">admindocs</span></code><a class="headerlink" href="#cve-2021-33203-potential-directory-traversal-via-admindocs" title="永久链接至标题">¶</a></h2>
<p>Staff members could use the <a class="reference internal" href="../ref/contrib/admin/admindocs.html#module-django.contrib.admindocs" title="django.contrib.admindocs: Django's admin documentation generator."><code class="xref py py-mod docutils literal notranslate"><span class="pre">admindocs</span></code></a>
<code class="docutils literal notranslate"><span class="pre">TemplateDetailView</span></code> view to check the existence of arbitrary files.
Additionally, if (and only if) the default admindocs templates have been
customized by the developers to also expose the file contents, then not only
the existence but also the file contents would have been exposed.</p>
<p>As a mitigation, path sanitation is now applied and only files within the
template root directories can be loaded.</p>
</div>
<div class="section" id="s-cve-2021-33571-possible-indeterminate-ssrf-rfi-and-lfi-attacks-since-validators-accepted-leading-zeros-in-ipv4-addresses">
<span id="cve-2021-33571-possible-indeterminate-ssrf-rfi-and-lfi-attacks-since-validators-accepted-leading-zeros-in-ipv4-addresses"></span><h2>CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses<a class="headerlink" href="#cve-2021-33571-possible-indeterminate-ssrf-rfi-and-lfi-attacks-since-validators-accepted-leading-zeros-in-ipv4-addresses" title="永久链接至标题">¶</a></h2>
<p><a class="reference internal" href="../ref/validators.html#django.core.validators.URLValidator" title="django.core.validators.URLValidator"><code class="xref py py-class docutils literal notranslate"><span class="pre">URLValidator</span></code></a>,
<a class="reference internal" href="../ref/validators.html#django.core.validators.validate_ipv4_address" title="django.core.validators.validate_ipv4_address"><code class="xref py py-func docutils literal notranslate"><span class="pre">validate_ipv4_address()</span></code></a>, and
<a class="reference internal" href="../ref/validators.html#django.core.validators.validate_ipv46_address" title="django.core.validators.validate_ipv46_address"><code class="xref py py-func docutils literal notranslate"><span class="pre">validate_ipv46_address()</span></code></a> didn't prohibit leading
zeros in octal literals. If you used such values you could suffer from
indeterminate SSRF, RFI, and LFI attacks.</p>
<p><a class="reference internal" href="../ref/validators.html#django.core.validators.validate_ipv4_address" title="django.core.validators.validate_ipv4_address"><code class="xref py py-func docutils literal notranslate"><span class="pre">validate_ipv4_address()</span></code></a> and
<a class="reference internal" href="../ref/validators.html#django.core.validators.validate_ipv46_address" title="django.core.validators.validate_ipv46_address"><code class="xref py py-func docutils literal notranslate"><span class="pre">validate_ipv46_address()</span></code></a> validators were not
affected on Python 3.9.5+.</p>
</div>
<div class="section" id="s-bugfixes">
<span id="bugfixes"></span><h2>Bugfixes<a class="headerlink" href="#bugfixes" title="永久链接至标题">¶</a></h2>
<ul class="simple">
<li>Fixed a bug in Django 3.2 where a final catch-all view in the admin didn't
respect the server-provided value of <code class="docutils literal notranslate"><span class="pre">SCRIPT_NAME</span></code> when redirecting
unauthenticated users to the login page (<a class="reference external" href="https://code.djangoproject.com/ticket/32754">#32754</a>).</li>
<li>Fixed a bug in Django 3.2 where a system check would crash on an abstract
model (<a class="reference external" href="https://code.djangoproject.com/ticket/32733">#32733</a>).</li>
<li>Prevented unnecessary initialization of unused caches following a regression
in Django 3.2 (<a class="reference external" href="https://code.djangoproject.com/ticket/32747">#32747</a>).</li>
<li>Fixed a crash in Django 3.2 that could occur when running <code class="docutils literal notranslate"><span class="pre">mod_wsgi</span></code> with
the recommended settings while the Windows <code class="docutils literal notranslate"><span class="pre">colorama</span></code> library was installed
(<a class="reference external" href="https://code.djangoproject.com/ticket/32740">#32740</a>).</li>
<li>Fixed a bug in Django 3.2 that would trigger the auto-reloader for template
changes when directory paths were specified with strings (<a class="reference external" href="https://code.djangoproject.com/ticket/32744">#32744</a>).</li>
<li>Fixed a regression in Django 3.2 that caused a crash of auto-reloader with
<code class="docutils literal notranslate"><span class="pre">AttributeError</span></code>, e.g. inside a <code class="docutils literal notranslate"><span class="pre">Conda</span></code> environment (<a class="reference external" href="https://code.djangoproject.com/ticket/32783">#32783</a>).</li>
<li>Fixed a regression in Django 3.2 that caused a loss of precision for
operations with <code class="docutils literal notranslate"><span class="pre">DecimalField</span></code> on MySQL (<a class="reference external" href="https://code.djangoproject.com/ticket/32793">#32793</a>).</li>
</ul>
</div>
</div>


          </div>
        </div>
      </div>
      
        
          <div class="yui-b" id="sidebar">
            
      <div class="sphinxsidebar" role="navigation" aria-label="main navigation">
        <div class="sphinxsidebarwrapper">
  <h3><a href="../contents.html">Table of Contents</a></h3>
  <ul>
<li><a class="reference internal" href="#">Django 3.2.4 release notes</a><ul>
<li><a class="reference internal" href="#cve-2021-33203-potential-directory-traversal-via-admindocs">CVE-2021-33203: Potential directory traversal via <code class="docutils literal notranslate"><span class="pre">admindocs</span></code></a></li>
<li><a class="reference internal" href="#cve-2021-33571-possible-indeterminate-ssrf-rfi-and-lfi-attacks-since-validators-accepted-leading-zeros-in-ipv4-addresses">CVE-2021-33571: Possible indeterminate SSRF, RFI, and LFI attacks since validators accepted leading zeros in IPv4 addresses</a></li>
<li><a class="reference internal" href="#bugfixes">Bugfixes</a></li>
</ul>
</li>
</ul>

  <h4>上一个主题</h4>
  <p class="topless"><a href="3.2.5.html"
                        title="上一章">Django 3.2.5 release notes</a></p>
  <h4>下一个主题</h4>
  <p class="topless"><a href="3.2.3.html"
                        title="下一章">Django 3.2.3 release notes</a></p>
  <div role="note" aria-label="source link">
    <h3>本页</h3>
    <ul class="this-page-menu">
      <li><a href="../_sources/releases/3.2.4.txt"
            rel="nofollow">显示源代码</a></li>
    </ul>
   </div>
<div id="searchbox" style="display: none" role="search">
  <h3>快速搜索</h3>
    <div class="searchformwrapper">
    <form class="search" action="../search.html" method="get">
      <input type="text" name="q" />
      <input type="submit" value="转向" />
      <input type="hidden" name="check_keywords" value="yes" />
      <input type="hidden" name="area" value="default" />
    </form>
    </div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
        </div>
      </div>
              <h3>Last update:</h3>
              <p class="topless">7月 23, 2021</p>
          </div>
        
      
    </div>

    <div id="ft">
      <div class="nav">
    &laquo; <a href="3.2.5.html" title="Django 3.2.5 release notes">previous</a>
     |
    <a href="index.html" title="Release notes" accesskey="U">up</a>
   |
    <a href="3.2.3.html" title="Django 3.2.3 release notes">next</a> &raquo;</div>
    </div>
  </div>

      <div class="clearer"></div>
    </div>
  </body>
</html>